You may want the Cyber Essentials or Cyber Essentials Plus certification for a few reasons:
- You need it for a public sector contract.
- You want to demonstrate to your clients that you take cyber security seriously.
- You want reassurance that you have core cyber security defences in place.
This blog piece should give you an understanding of the key elements of the Cyber Essentials standard, and also help determine if you're ready to be assessed, or whether you may need to make some changes to your IT defences first.
Please note that this is a high-level overview, and that the Cyber Essentials standard is periodically updated. Your chosen Cyber Essentials certification body should be able to discuss the current test specification in more detail prior to your assessment.
Common Cyber Essentials scheme questions
Before we dive into the details of each element of the assessment, it's worth covering off a few of the most common questions.
What's the difference between Cyber Essentials and Cyber Essentials Plus?
Firstly, if you're aiming to get certified in order to fulfil the requirements for a public sector contract, it's always worth double-checking if you actually need the "Plus" or not. It is harder to pass Cyber Essentials Plus than Cyber Essentials, so it may be preferable to attempt Cyber Essentials first if this is an option.
Cyber Essentials is conducted entirely remotely: you complete a Cyber Essentials questionnaire regarding your current cyber security defences, and we conduct vulnerability scans and configuration checks against your network via the internet.
Cyber Essentials Plus also contains the questionnaire and internet vulnerability scanning, but adds an onsite assessment, where we'll assess the security of your workstations (desktops, laptops, and tablets running "desktop" operating systems), and mobile devices (smartphones and tablets).
What's in scope for a Cyber Essentials assessment?
All internet-facing systems which are internally hosted are in scope. Additionally, externally hosted systems which are business critical, which host customer data, or connect to internal systems, will also be in scope.
For workstations (Cyber Essentials Plus only), we'd need to know details of standard builds, and the numbers of each build in use, to determine the required sampling numbers. If there are no standard builds or BYOD devices are in use, all devices are in scope and must be tested. Please note that tested devices must be in regular use – a non-standard "test" device, or a device which has been sitting in a cupboard for months, is unlikely to be securely configured, or up-to-date.
Mobile devices (Cyber Essentials Plus only) are in scope only if they connect to your internal network. This may entail connecting to internal servers or connecting to non-guest internal WiFi.
Is the Cyber Essentials Plus accreditation easy to pass?
Unfortunately not… the key challenge is that Cyber Essentials is a "single point of failure" assessment – so failing any part of the assessment results in an overall fail. For example, a single out-of-date app on just one mobile device would fail the entire assessment.
Additionally, it can be challenging for very small companies which lack the required centralised control mechanisms over IT resources, or very large companies where it's more likely that something can "slip through the cracks" in centralised controls.
It can take multiple attempts to pass, but it's worth remembering that the changes which you need to make in order to pass do actually improve your overall security posture. For example, one client failed Cyber Essentials Plus due to out-of-date antivirus definitions on their workstations. They examined their update processes and discovered that there was excessive lag between their workstations polling their internal antivirus server for updates, and also between the internal antivirus server polling the external vendor's server for updates. By tightening up their antivirus update process, they decreased the lag, improved their security posture, and subsequently passed Cyber Essentials Plus.
Step 1: Cyber Essentials Questionnaire
The questionnaire is common to both Cyber Essentials and Cyber Essentials Plus, and will ask you questions relating to areas such as:
- Firewalls and other perimeter network defences.
- User account management (including admin accounts), and password policies.
- Workstation configuration and hardening.
- Logging and backups.
- Mobile device management.
- Malware protection mechanisms.
- Update management for workstations and mobile devices.
Essentially, the Cyber Essentials questionnaire is checking that your internal network, and the assets which connect to it, are centrally managed, securely configured, and up-to-date. The answers will be scored, leading to a pass or fail.
Whilst it is self-assessment, the answers need to be accurate as the assessor may question anything observed during the other phases of the assessment which appears to contradict the questionnaire. For example, if your questionnaire response states that your mobile devices are always kept up to date with operating system and app updates, but the assessor observes multiple out-of-date apps during the mobile devices assessment, the questionnaire response may need to be revised and re-scored.
Step 2: External Facing Systems
This phase is also common to both Cyber Essentials and Cyber Essentials Plus, and essentially checks the following areas:
- No "dangerous" services (such as Telnet) are exposed to the Internet.
- No Internet-exposed services have unpatched, easily-exploitable vulnerabilities.
- All sensitive information is protected by authentication.
- All authenticated services (including web login pages) are protected against brute-force login attacks by measures such as two-factor authentication, login attempt throttling, or account lockout.
- Weak or default passwords are not used for any authenticated services.
- No unsupported operating systems are in use.
All of the above are required in order to pass.
We'll assess these points through a combination of automated vulnerability scanning, and manual examination of exposed services. We may also need you to verify certain information which cannot be gained from an unauthenticated perspective.
Step 3: Workstations
This onsite phase of the assessment applies only to Cyber Essentials Plus, and covers the following areas.
Arbitrary file execution
These checks ensure that users can't download and run arbitrary, and potentially malicious, executables. This applies to files downloaded via web browsers, and email attachments. These can include directly executable file types, as well as executables within containers (such as Zip files), or macros within Microsoft Office documents. To pass, it is required that:
- Users are either completely blocked from running the downloaded executables, or must accept a clear security warning before running them.
- Any files containing known virus signatures are blocked.
Whichever mechanism of malware protection you use (most commonly, antivirus software), it needs to be effective (for example, performing on-access scanning), and up-to-date (both the antivirus engine, and definitions).
An authenticated patch scan will be performed against all sampled workstations. The operating system and all installed software need to be currently in support (i.e. receiving vendor updates), and not have any unpatched, easily-exploitable vulnerabilities.
Common configuration issues will be checked, such as ensuring that standard users don't have local admin rights, and that users have individual rather than shared logins.
Step 4: Mobile Devices
These checks cover the following areas:
- The mobile operating system is still supported (i.e. receiving periodic updates from the vendor).
- The mobile operating system and all apps are up-to-date.
- The device has access restricted by a PIN / password / biometrics.
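A pre-assessment check that applies the criteria above, together with the mobile scope rule and the "single point of failure" rule described earlier, to an exported device inventory. This is an added example, not part of the original post or any certification body's tooling; the CSV column names and the sample rows are constructed.

```python
import csv
import io

# Constructed sample of an MDM inventory export. Column names are
# hypothetical; map them to whatever your MDM actually exports.
SAMPLE_EXPORT = """\
device,internal_access,os_supported,os_current,outdated_apps,screen_lock
phone-01,yes,yes,yes,0,yes
phone-02,yes,yes,yes,1,yes
tablet-03,no,no,no,4,no
phone-04,yes,yes,no,0,no
"""

def _yes(value):
    return value.strip().lower() == "yes"

def device_findings(row):
    """Return the list of Step 4 criteria this device fails."""
    findings = []
    if not _yes(row["os_supported"]):
        findings.append("operating system no longer supported")
    if not _yes(row["os_current"]):
        findings.append("operating system not up to date")
    if int(row["outdated_apps"]) > 0:
        findings.append(f"{row['outdated_apps']} app(s) out of date")
    if not _yes(row["screen_lock"]):
        findings.append("no PIN / password / biometric lock")
    return findings

def assess(export_text):
    """Return (overall_pass, findings per in-scope device, out-of-scope names)."""
    in_scope, out_of_scope = {}, []
    for row in csv.DictReader(io.StringIO(export_text)):
        # Scope rule from the page: a mobile device is assessed only if it
        # connects to the internal network (servers or non-guest WiFi).
        if not _yes(row["internal_access"]):
            out_of_scope.append(row["device"])
            continue
        in_scope[row["device"]] = device_findings(row)
    # Single point of failure: one finding on one device fails everything.
    overall_pass = all(not f for f in in_scope.values())
    return overall_pass, in_scope, out_of_scope

if __name__ == "__main__":
    ok, results, skipped = assess(SAMPLE_EXPORT)
    for name, findings in results.items():
        print(name, "PASS" if not findings else "FAIL: " + "; ".join(findings))
    print("out of scope:", ", ".join(skipped) or "none")
    print("overall:", "PASS" if ok else "FAIL")
```

In the sample, tablet-03 has the worst configuration but does not affect the result because it has no internal network access, while a single out-of-date app on phone-02 is enough to fail the whole run.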
So, am I ready to pass Cyber Essentials?
Have a look at the sections above covering the questionnaire, external facing systems, workstations, and mobile devices, and consider if you have the required tools, processes, and procedures in place - is everything centrally managed, and locked down? If so, consider booking a Cyber Essentials assessment with an approved certification body.
However, here are some indicators that you may not yet be ready for Cyber Essentials, and changes to your IT may be required:
- BYOD devices (workstations or mobiles) are in use which connect to the internal network. These lack the ability for centralised management and control, and all devices (not a sample) would need to be tested. The assessment would be lengthy, and likely to fail.
- Workstations are individually configured with excessive permissions or weak configurations, rather than deployed from standard, hardened builds. All devices (not a sample) would need to be tested. The assessment would be lengthy, and likely to fail.
- Lack of central management of workstations (Group Policy, central antivirus, central patch management) or mobile devices (Mobile Device Management) to ensure that they are securely configured, and up-to-date.
- Lack of central management of servers (logging and backups) to facilitate business continuity or incident management.
- Mobile devices have internal network access, but do not actually need it. This unnecessarily puts them in scope for assessment, resulting in a greater chance of failing.
- Lack of control over internet-exposed services – either unnecessary services or sensitive information are exposed, or exposed services are unpatched or have configuration weaknesses.
- Unsupported hardware or software is in use.
If these cases apply, certification bodies such as Dionach can provide help to improve your security posture, so that you're ready for assessment.
We hope this has clarified any questions you have regarding the Cyber Essentials and Cyber Essentials Plus assessment process. Please contact Dionach at firstname.lastname@example.org to find out more about Cyber Essentials.